We are hiring a new helpdesk person at our company. We want that person to be able to reset passwords in Active Directory and unlock accounts, but not be able to create new accounts. Also, we would like the new person to be able to change NTFS file permissions on our 2008 file server, but not have full administrative rights to the server.

I'm thinking the Active Directory unlock/change passwords shouldn't be too hard to set up, but I'm not sure about the NTFS file permissions. I can't think of a way to allow that without making the account an administrator.

Per JG, delegating authority is the way to go for password management.
File permissions management is allowed by granting full control over a file/folder.

So I would
- create a security group for this type of admin
- delegate password control to the appropriate OU (create the OU if necessary) using the new security group.
- add the new security group to the ACL at the top of the folder structure you want them to be able to modify and grant Full control
- propagate the permissions through the folder structure

Since you mentioned file server, I'm assuming you want to assign permissions to the files - you right click on them and under the security tab you assign them permissions using the users and groups you created on the AD server - they will just be available to you in a list.
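The four steps above scripted in PowerShell, as an added example that is not from the original answers. Assumed names: group `Helpdesk-PasswordReset`, OU `OU=Staff,DC=corp,DC=example`, folder root `D:\Shares\Dept`; it goes slightly beyond the answer by granting only Read/Change Permissions on the folder instead of Full Control, which is enough to edit ACLs without the ability to delete or write the data.

```powershell
# Added example, not from the original answers. Assumed names: group "Helpdesk-PasswordReset",
# OU "OU=Staff,DC=corp,DC=example", folder root "D:\Shares\Dept". Run as a Domain Admin on a
# host with the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

$groupName = 'Helpdesk-PasswordReset'
$ouDN      = 'OU=Staff,DC=corp,DC=example'
$shareRoot = 'D:\Shares\Dept'

# 1. Security group for this tier of helpdesk admin
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
$sid   = $group.SID

# 2. Delegate on the OU: the "Reset Password" extended right plus write access to
#    lockoutTime (what "Unlock account" sets), scoped to descendant user objects only.
#    No create/delete rights are granted, so the group cannot add accounts.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
$lockoutTimeGuid   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$ouAcl = Get-Acl -Path "AD:\$ouDN"
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPasswordGuid, 'Descendents', $userClassGuid)))
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'WriteProperty', 'Allow', $lockoutTimeGuid, 'Descendents', $userClassGuid)))
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# 3. NTFS: let the group edit permissions on the folder tree. The answer grants Full Control;
#    ReadPermissions + ChangePermissions is the narrower set that still allows ACL changes.
#    ContainerInherit/ObjectInherit propagate the entry to every subfolder and file.
$ntfsAcl = Get-Acl -Path $shareRoot
$ntfsAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadPermissions, ChangePermissions', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $shareRoot -AclObject $ntfsAcl

# 4. Verify exactly what the group ended up with on both objects
(Get-Acl -Path "AD:\$ouDN").Access | Where-Object { $_.IdentityReference -like "*$groupName" }
(Get-Acl -Path $shareRoot).Access  | Where-Object { $_.IdentityReference -like "*$groupName" }
```

Apply the NTFS step on the file server itself (or against a UNC path) with the same group; the group's SID is accepted before the name has replicated, but the verification output will only show the friendly name once it resolves.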

A 3rd party program might do the job... So that you could enter the creds, and then they could use them. If you're really determined you could use AutoIt to create an exe so that the login will be hidden, but they could then run various scripts to alter AD.